Security Awareness Training

    For Security Awareness Training That Sticks, Remember Your ABCs

    Attitude, behavior and cognition — these are the three “channels” of training you can tap into for better security awareness program results.

    by Dr. Matthew Canham

    Key Points

    • Employees often continue to fail companies’ security tests even after receiving security awareness training. 
    • Providing training through multiple learning “channels” can improve outcomes.
    • Maximize impact by addressing employee attitudes toward training, providing opportunities to practice and including context for threats. 

    If being aware of bad behaviors effectively stopped them, then there would be no intoxicated drivers, smokers or people eating unhealthy foods. Year after year, industry surveys reveal that human error provides the primary point of entry for cyberattacks. The default solution for many is to provide more security awareness training. However, a large percentage of employees continue to fail tests even after receiving training.

    Providing training without a clear understanding for how humans learn is not likely to produce effective outcomes. To maximize security awareness training effectiveness, employees need to be reached through three “channels”: attitude, behavior and cognition. Each channel may interact and influence the others, but each should be considered independently. 

    Attitude: Feelings Toward Security

    Psychologists broadly define attitude as the feeling or affective response that an individual experiences, either generally or toward a specific entity. If employees do not feel invested in security or feel that it is not their job, they are unlikely to have the motivation to adopt good cyber hygiene habits.

    In addition to security awareness training considerations, it is also critical to understand how attitudes can fluctuate in different contexts. A recent study found that most security failures result from employees experiencing high levels of stress even while they were motivated to follow secure protocols.[1] This deviation from secure practices indicates that regardless of employee attitudes, habits also need to be trained.   

    Behavior: What People Do Regardless of How They Feel

    While education helps improve employee attitudes toward security, the goal is to improve actual behaviors. Much of human behavior is unconsciously driven through habits and associations.

    Security awareness training modules instruct users to avoid clicking embedded hyperlinks in phishing emails, for example. But at the same time users’ everyday experience is clicking links without consequence, which reinforces the habit of clicking links. Creating secure habits is critical but employees still need to have the knowledge to avoid new threats as they emerge.   

    Cognition: Adding Context to Knowledge About Threats

    A significant portion of awareness training focuses on specific tactics employed by malicious actors, such as phishing emails, vishing calls, malicious USB drives and other threats. Collectively, these are the “whats” of information security. While knowing about specific attacks can be helpful, employees also need to know the “whys” behind these attacks.

    Learning that phishing emails are sent within the context of attempting to steal credentials helps employees understand criminal goals and avoid similar attacks. Another advantage of this approach is that it provides a more elaborate understanding of threats, which increases employee memory retention of learning objectives. 

    Leveraging the ABCs for More Effective Security Awareness Training

    Security mistakes happen — a lot. Over 80% of security professionals recently surveyed by Mimecast said their organization had been hit by an attack where the threat spread from one infected user to other employees. More often than not, this happened despite training. Working across the three learning channels can help lower risk in the following ways:

    • Attitude: Ignoring employee “buy-in” is a critical mistake committed by many security awareness training programs. Employees need to adopt the attitude that security is everyone’s responsibility. Just because employees are aware does not mean they care, even though they might not admit this in surveys.[2] Utilizing engaging content that learners find enjoyable is an effective way to increase employee investment in training lessons and can lead to better security hygiene later. Good cyber hygiene habits can also carry over from one environment to the next. Educating employees on how to keep their families secure online increases investment in secure behaviors and will benefit their employers, especially with substantial numbers now working from home.
    • Behavior: There is simply no way to train employees at the behavioral level with a slide presentation; employees need practice identifying and avoiding phishy emails. In fact, one of the downsides of having more effective anti-spam filters is that employees lack enough exposure to potentially malicious emails, which can paradoxically make them less safe. Maximize training through this channel by making security awareness training emails as realistic as possible and adjusting campaign frequency for each user according to their ability. Aside from training, one of the most effective ways to handle this channel is to create processes that make secure behaviors easier to follow — and that make less secure behaviors more difficult. If you observe several instances of shadow IT being used by employees, this is a sure sign that your program is failing at the behavioral layer.
    • Cognition: Even employees who are invested in practicing good cyber hygiene and have trained their “muscle memory” to avoid threats still need to know about criminal tactics and objectives to avoid falling victim to them. Rote learning of facts and figures without context is not only likely to put learners to sleep, but it will also be forgotten almost immediately. Providing contextual knowledge maximizes training benefits and is critical for employees to avoid threats. Absorbing new information and concepts takes time, and the most effective way to learn is through repeated exposure to short lessons over an extended period. A series of narrative stories that illustrate learning objectives can be a highly effective method for teaching through the cognitive channel because it distributes learning over time while providing context and activating multiple memory systems.

    The Bottom Line

    To create more effective security awareness training that will have a lasting impact, utilize the three learning channels of attitude, behavior and cognition. Each channel requires a slightly different approach, and it is critical to address all three by obtaining employee investment in lessons, enabling them to practice translating lessons into action and giving them the required knowledge and context to avoid future threats.   

    [1] “Why Employees Violate Cybersecurity Policies,” Harvard Business Review

    [2] “Transformational Security Awareness: What Neuroscientists, Storytellers and Marketers Can Teach Us About Driving Secure Behaviors,” John Wiley & Sons, Inc.
